Discussion:
[ubuntu-us-mi] Linux.com
Wolfger
2009-05-13 14:05:01 UTC
Got the site re-launch e-mail last night or this morning. Created a
group for the LoCo if anybody cares:
http://linux.com/community/groups/viewgroup/100-Ubuntu+Michigan+LoCo
--
Wolfger
http://wolfger.wordpress.com/
http://twitter.com/wolfger
http://identi.ca/wolfger

The world is a mess, and I just... need to rule it.
Mike Ward
2009-05-13 19:30:37 UTC
Ugh, when registering, they sent my password back to me in plaintext.
Stupid. You'd think something like "linux.com" would be a little more
concerned about that sort of thing.
Post by Wolfger
Got the site re-launch e-mail last night or this morning. Created a
http://linux.com/community/groups/viewgroup/100-Ubuntu+Michigan+LoCo
--
Wolfger
http://wolfger.wordpress.com/
http://twitter.com/wolfger
http://identi.ca/wolfger
The world is a mess, and I just... need to rule it.
--
ubuntu-us-mi mailing list
ubuntu-us-mi at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-us-mi
Greg Grossmeier
2009-05-13 22:01:54 UTC
Post by Mike Ward
Ugh, when registering, they sent my password back to me in plaintext.
Stupid. You'd think something like "linux.com" would be a little more
concerned about that sort of thing.
Seriously! That means my password is also stored in plain text in
their database. Throw-away passwords only for this site.

Greg
Chris Heiden
2009-05-13 22:13:05 UTC
Have you voiced your concern with them? I found an error on the site
earlier and they responded to my email within 6 hours.
Post by Greg Grossmeier
Post by Mike Ward
Ugh, when registering, they sent my password back to me in plaintext.
Stupid. You'd think something like "linux.com" would be a little more
concerned about that sort of thing.
Seriously! That means my password is also stored in plain text in
their database. Throw-away passwords only for this site.
Greg
Mike Ward
2009-05-13 22:54:10 UTC
I hadn't, I have to admit. I have now.

- Mike
Post by Chris Heiden
Have you voiced your concern with them? I found an error on the site
earlier and they responded to my email within 6 hours.
Post by Greg Grossmeier
Post by Mike Ward
Ugh, when registering, they sent my password back to me in plaintext.
Stupid. You'd think something like "linux.com" would be a little more
concerned about that sort of thing.
Seriously! That means my password is also stored in plain text in
their database. Throw-away passwords only for this site.
Greg
Mike Ward
2009-05-14 02:41:24 UTC
They responded already, actually. Points to them for promptness.

"Our team informs me that they have a solution for this in place that will
be going into tonight's build for the site."

- Mike
Post by Mike Ward
I hadn't, I have to admit. I have now.
- Mike
Post by Chris Heiden
Have you voiced your concern with them? I found an error on the site
earlier and they responded to my email within 6 hours.
Post by Greg Grossmeier
Post by Mike Ward
Ugh, when registering, they sent my password back to me in plaintext.
Stupid. You'd think something like "linux.com" would be a little more
concerned about that sort of thing.
Seriously! That means my password is also stored in plain text in
their database. Throw-away passwords only for this site.
Greg
Greg Grossmeier
2009-05-14 03:23:28 UTC
Post by Mike Ward
They responded already, actually. Points to them for promptness.
"Our team informs me that they have a solution for this in place that will
be going into tonight's build for the site."
Nice! Maybe I will stick around longer to see how this whole
linux.com social networking site works out :)

Btw: http://linux.com/community/profile?userid=1490 is me.
And
http://linux.com/community/groups/viewgroup/100-Ubuntu+Michigan+LoCo
is the group for the Michigan LoCo.

-Greg
Matt Michielsen
2009-05-14 14:05:13 UTC
Looks like they're still storing in plain-text. Here's their fix:

Password: [not sent for your security]

I'm surprised they're not embracing OpenID or some other open authentication
standard.

-mm
Post by Greg Grossmeier
Post by Mike Ward
They responded already, actually. Points to them for promptness.
"Our team informs me that they have a solution for this in place that will
be going into tonight's build for the site."
Nice! Maybe I will stick around longer to see how this whole
linux.com social networking site works out :)
Btw: http://linux.com/community/profile?userid=1490 is me.
And
http://linux.com/community/groups/viewgroup/100-Ubuntu+Michigan+LoCo
is the group for the Michigan LoCo.
-Greg
Greg Grossmeier
2009-05-14 14:43:15 UTC
Post by Matt Michielsen
Password: [not sent for your security]
I'm surprised they're not embracing OpenID or some other open authentication
standard.
Who wants to email them regarding that issue? :)

Greg
Scott Moser
2009-05-14 14:56:18 UTC
Post by Matt Michielsen
Password: [not sent for your security]
Unless you've looked at their source, you don't actually know that
they're storing it in plaintext. You only know that they sent you an
email with a string that you provided them with.

They could just send you the plaintext value, and store the hashed, then
once email is sent they'd never see that plaintext again.

In that case, the above would be a "real" fix.
Matt Michielsen
2009-05-14 16:24:16 UTC
You're absolutely right. I definitely have my doubts about their care
for/knowledge of basic security practices after sending out passwords
through email. However, it looks like they're using Joomla, which uses MD5
password encryption by default. I guess I shouldn't be so cynical.
Post by Scott Moser
Post by Matt Michielsen
Password: [not sent for your security]
Unless you've looked at their source, you don't actually know that
they're storing it in plaintext. You only know that they sent you an
email with a string that you provided them with.
They could just send you the plaintext value, and store the hashed, then
once email is sent they'd never see that plaintext again.
In that case, the above would be a "real" fix.
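
Added example, not part of the thread and not linux.com's or Joomla's code: a registration flow of the kind Scott Moser describes, where the welcome e-mail can echo the password while the store holds only a salt and a slow hash, with unsalted MD5 (the algorithm Matt Michielsen mentions) shown for contrast. All names, the in-memory store and the PBKDF2 parameters are assumptions; the thread does not say whether the site salts its hashes.

```python
import hashlib
import hmac
import os

USERS = {}    # constructed in-memory "database": email -> {"salt", "hash"}
OUTBOX = []   # constructed "sent mail" log: (recipient, body)
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the only password-derived value stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(email: str, password: str, echo_password: bool) -> None:
    """Store salt + hash; the welcome mail may or may not echo the password."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}
    shown = password if echo_password else "[not sent for your security]"
    OUTBOX.append((email, "Password: " + shown))
    # Once this returns, the server side keeps no copy of the plaintext.


def verify(email: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(candidate, rec["salt"]))


def plaintext_in_store(password: str) -> bool:
    """True if the raw password bytes appear anywhere in the stored records."""
    needle = password.encode("utf-8")
    return any(needle in r["salt"] or needle in r["hash"] for r in USERS.values())


def unsalted_md5(password: str) -> str:
    """Fast, unsalted digest: equal passwords always give equal values."""
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    register("a@example.test", "correct horse", echo_password=True)   # old mail
    register("b@example.test", "correct horse", echo_password=False)  # "fixed" mail
    print(OUTBOX)
    print("plaintext stored:", plaintext_in_store("correct horse"))
    print("same salted hash:", USERS["a@example.test"]["hash"] == USERS["b@example.test"]["hash"])
    print("same MD5:", unsalted_md5("correct horse") == unsalted_md5("correct horse"))
```

The e-mail body alone cannot distinguish the two storage designs; only the stored record can, and the per-user salt is what keeps two accounts with the same password from sharing a hash.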
Bradley McMahon
2009-05-14 18:23:46 UTC
MD5, you say? I guess I'll brute force the password later today then.
Bradley McMahon
Post by Matt Michielsen
You're absolutely right. I definitely have my doubts about their care
for/knowledge of basic security practices after sending out passwords
through email. However, it looks like they're using Joomla, which uses MD5
password encryption by default. I guess I shouldn't be so cynical.
Post by Scott Moser
Post by Matt Michielsen
Password: [not sent for your security]
Unless you've looked at their source, you don't actually know that
they're storing it in plaintext. You only know that they sent you an
email with a string that you provided them with.
They could just send you the plaintext value, and store the hashed, then
once email is sent they'd never see that plaintext again.
In that case, the above would be a "real" fix.